cloudflare · cloudflare-noelle · Mar 20, 2026 · Mar 20, 2026 · Mar 30, 2026 · Mar 30, 2026
@@ -5,17 +5,18 @@ tags:
   - Logging
 sidebar:
   order: 2
-head: []
 description: Use Access authentication logs to review authentication events and
   requests to protected URI paths and infrastructure targets.
 ---
 
-import { GlossaryTooltip, TabItem, Tabs, APIRequest } from "~/components";
+import { GlossaryTooltip, TabItem, Tabs, APIRequest, InlineBadge } from "~/components";
+
+Access authentication logs use an updated log viewer <InlineBadge preset="beta" /> with the following capabilities: filter by field, customize columns, view details by selecting a timestamp, and switch to the classic view. Querying for fewer fields improves log loading performance.
 
 Cloudflare Access generates two types of audit logs:
 
-- **[Authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-logs)** maintain a record of authentication events.
-- **[Per-request audit logs](/cloudflare-one/insights/logs/audit-logs/#per-request-logs)** record requests to protected URI paths and infrastructure targets.
+- **[Authentication audit logs](#authentication-logs)** maintain a record of authentication events.
+- **[Per-request audit logs](#per-request-logs)** record requests to protected URI paths and infrastructure targets.
 
 ## Authentication logs
 

@@ -0,0 +1,28 @@
+---
+pcx_content_type: reference
+title: Admin activity logs
+sidebar:
+  order: 1
+description: Monitor when a member on your account creates, updates, or deletes configurations.
+---
+
+Admin activity logs record configuration changes made by members of your Cloudflare account. Use these logs to monitor when a member creates, updates, or deletes configurations in your Zero Trust organization.
+
+To view admin activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **Admin activity logs**.
+
+## Explanation of the fields
+
+| Field                 | Description                                                        |
+| --------------------- | ------------------------------------------------------------------ |
+| **Action timestamp**  | Date and time when the change occurred.                            |
+| **Action type**       | Type of action taken (for example, `create`, `update`, `delete`).  |
+| **Action result**     | Whether the action was successful.                                 |
+| **Actor email**       | Email address of the user who performed the action.                |
+| **Actor IP address**  | IP address of the user who performed the action.                   |
+| **Actor type**        | Type of user that initiated the action.                            |
+| **Resource type**     | The type of resource that was changed.                             |
+| **Resource product**  | The Cloudflare product associated with the resource.               |
+
+## Export admin activity logs
+
+Enterprise users can export admin activity logs using [Logpush](/cloudflare-one/insights/logs/logpush/). For a list of all available fields, refer to [Audit Logs V2](/logs/logpush/logpush-job/datasets/account/audit_logs_v2/).
@@ -5,21 +5,28 @@ tags:
   - Logging
 sidebar:
   order: 3
+description: Review DNS queries, network traffic, and HTTP requests inspected by Gateway.
 ---
 
-import { Render, GlossaryTooltip } from "~/components";
+import { Render, GlossaryTooltip, DirectoryListing, InlineBadge } from "~/components";
+
+Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway.
+
+To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail.
+
+Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/).
+
+<DirectoryListing />
 
 :::note[Private source IP substitution]
 
 Gateway logs will only show the public IP address for the **Source IP** field. Private IP addresses are substituted by a public IP address via network address translation (NAT).
 
 :::
 
-Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) for sessions proxied by Gateway.
-
-To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail.
+## Log viewer <InlineBadge preset="beta" />
 
-Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/).
+Gateway activity logs use an updated log viewer with the following capabilities: filter by field, customize columns, view details by selecting a timestamp, and switch to the classic view. Querying for fewer fields improves log loading performance.
 
 ## Selective logging
 

@@ -4,7 +4,7 @@ title: Manage PII
 tags:
   - Privacy
 sidebar:
-  order: 3
+  order: 1
 ---
 
 Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII). By default, PII is redacted from Gateway Activity logs for all permission roles except the Super Administrator and users with the [Cloudflare Zero Trust PII role](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) assigned to them. Only the Super Administrator can assign roles and determine who has permission to view PII. Redacting PII does not affect the way PII is captured in logs as the data is simply hidden and no information is lost.

@@ -0,0 +1,17 @@
+---
+pcx_content_type: navigation
+title: Dashboard logs
+sidebar:
+  order: 1
+head:
+  - tag: title
+    content: Zero Trust dashboard logs
+---
+
+import { DirectoryListing } from "~/components";
+
+The following logs are available in the [Zero Trust dashboard](https://one.dash.cloudflare.com/).
+
+<DirectoryListing />
+
+For additional datasets and long-term log storage, refer to [Logpush](/cloudflare-one/insights/logs/logpush/).
@@ -2,13 +2,13 @@
 pcx_content_type: reference
 title: Posture logs
 sidebar:
-  order: 7
-
+  order: 8
+description: Monitor the results of device posture checks performed on your users' devices.
 ---
 
 Posture logs show the [device posture check](/cloudflare-one/reusable-components/posture-checks/) results reported by the Cloudflare One Client.
 
-To view device posture logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Logs** > **Posture**. Logs will only display if you have configured [device posture checks](/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization.
+To view device posture logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **Posture logs**. Logs will only display if you have configured [device posture checks](/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization.
 
 Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/).
 

@@ -1,11 +1,10 @@
 ---
 pcx_content_type: reference
-title: SCIM activity logs
+title: SCIM provisioning logs
 tags:
   - SCIM
 sidebar:
-  order: 3
-  label: SCIM logs
+  order: 7
 ---
 
 import { Render } from "~/components";
@@ -14,7 +13,7 @@ SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudf
 
 ## View SCIM logs
 
-For an overview of SCIM events across all users, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Logs** > **SCIM provisioning**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation.
+For an overview of SCIM events across all users, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **SCIM provisioning logs**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation.
 
 To investigate how SCIM events impacted a specific user, go to their [User Registry identity](/cloudflare-one/team-and-resources/users/users/).
 

@@ -0,0 +1,49 @@
+---
+pcx_content_type: reference
+title: SSH command logs
+sidebar:
+  order: 6
+description: Review SSH commands a user ran on a target.
+---
+
+SSH command logs record the commands that users run on infrastructure targets protected by [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). Use these logs to audit user activity on your SSH servers.
+
+To view SSH command logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **SSH command logs**.
+
+## Prerequisites
+
+To generate SSH command logs, you must:
+
+1. Set up [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH servers.
+2. [Enable SSH command logging](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) by uploading an encryption public key.
+
+## View SSH logs
+
+SSH command logs displayed in the dashboard are encrypted using a public key you provide. To view the contents of the logs:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs** > **SSH command logs**.
+2. Filter the logs using the name of your SSH application.
+3. Select the SSH session for which you want to export command logs.
+4. In the side panel, scroll down to **SSH logs** and select **Download**.
+5. Decrypt the log using the [SSH Logging CLI](https://github.com/cloudflare/ssh-log-cli/).
+
+## Explanation of the fields
+
+| Field                      | Description                                                                                     |
+| -------------------------- | ----------------------------------------------------------------------------------------------- |
+| **Session ID**             | Unique identifier for the SSH session.                                                          |
+| **User email**             | Email address of the user who initiated the SSH session.                                        |
+| **Target ID**              | Identifier of the infrastructure target being accessed.                                         |
+| **Client address**         | Source IP address of the SSH connection.                                                        |
+| **Server address**         | Destination IP address of the SSH server.                                                       |
+| **Session start datetime** | Timestamp when the SSH session started.                                                         |
+| **Session finish datetime**| Timestamp when the SSH session ended.                                                           |
+| **Program type**           | Type of SSH program (`shell`, `exec`, `x11`, `direct-tcpip`, or `forwarded-tcpip`).             |
+| **Payload**                | Captured request/response data in asciicast v2 format, including commands for `exec` programs. |
+| **Error**                  | SSH error message, if an error occurred.                                                        |
+
+## Export SSH logs with Logpush
+
+Enterprise users can export SSH command logs using [Logpush](/cloudflare-one/insights/logs/logpush/). Logpush payloads are not encrypted with a customer-provided public key.
+
+For a list of all available fields, refer to [SSH Logs](/logs/logpush/logpush-job/datasets/account/ssh_logs/).
@@ -2,8 +2,8 @@
 pcx_content_type: reference
 title: Tunnel audit logs
 sidebar:
-  order: 6
-
+  order: 9
+description: Review Cloudflare Tunnel connection events.
 ---
 
 Audit logs for Tunnel are available in the [account section of the Cloudflare dashboard](https://dash.cloudflare.com/?account=audit-log) which you can find by selecting your name or email in the upper right-hand corner of the dashboard. The following actions are logged:

@@ -1,8 +1,8 @@
 ---
-title: Enable Email security logs
+title: Email security logs
 pcx_content_type: how-to
 sidebar:
-  order: 9
+  order: 1
 ---
 
 import { DashButton } from "~/components";

@@ -1,13 +1,17 @@
 ---
-title: Use Logpush with IDS
-pcx_content_type: concept
+title: IDS logs
+pcx_content_type: how-to
+sidebar:
+  order: 2
 ---
 
-You can use Logpush with Cloudflare Network Firewall IDS to log detected risks:
+You can use Logpush with Cloudflare Network Firewall IDS to log detected risks.
+
+## Set up Logpush for IDS
 
 1. Consult the [Logpush Destination docs](/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush.
 
-2. Follow the [Manage Lopush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.
+2. Follow the [Manage Logpush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.
 
 ## Notes on using Logpush with IDS